Manual Chapter : Configuring Dynamic ACLs

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Configuring Dynamic ACLs

Overview: Applying ACLs from external servers

You can apply ACLs from Active Directory, RADIUS, or LDAP servers using the Dynamic ACL action from an Access Policy Manager® access policy.

Task summary

After you configure ACLs in a supported format on an Active Directory, LDAP, or RADIUS server, you can configure a dynamic ACL action to extract and use the ACLs.

About Dynamic ACL

A dynamic ACL is an ACL that is created on and stored in an LDAP, RADIUS, or Active Directory server. A Dynamic ACL action dynamically creates ACLs based on attributes from the AAA server. Because a dynamic ACL is associated with a user directory, this action can assign ACLs specifically per the user session.

Note: Access Policy Manager® supports dynamic ACLs in an F5® ACL format, and in a subset of the Cisco ACL format.

A Dynamic ACL action provides these configuration elements and options:

Source
Specifies an option and the attribute from which the Dynamic ACL action extracts ACLs. Custom indicates an F5 ACL from an Active Directory, RADIUS, or LDAP directory. Cisco AV-Pair VSA indicates a Cisco AV-Pair ACL from a RADIUS directory; in that case the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
ACL
Specifies the dynamic ACL container configured on the BIG-IP® system.
Format
Specifies the format (F5 or Cisco) in which the ACL is specified.
Note: To succeed, a Dynamic ACL action must follow an authentication or query action to capture the authentication variables that contain the dynamic ACL specification.

Configuring a dynamic ACL container

A dynamic ACL container provides an unconfigured ACL that you select when you configure a dynamic ACL action in an access policy.
  1. On the Main tab, click Access Policy > ACLs.
    The ACLs screen opens.
  2. Click Create.
    The New ACL screen opens.
  3. In the Name field, type a name for the access control list.
  4. From the Type list, select Dynamic.
  5. Optional: In the Description field, add a description of the access control list.
  6. Optional: From the ACL Order list, specify the order in which to add the new ACL relative to other ACLs:
    • Select After to add the ACL after a specific ACL and select the ACL from the list.
    • Select Specify to type the specific number of the ACL in the field.
    • Select Last to add the ACL at the last position in the list.
  7. From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
    This setting specifies whether alphabetic case is considered when matching paths in an access control entry.
  8. Click the Create button.
    The ACL Properties screen opens; it displays the newly configured dynamic ACL container.

Adding a dynamic ACL to an access policy

Before you start this task, configure an access profile and a dynamic ACL container. Add an authentication action to the access policy before the dynamic ACL action so that Access Policy Manager® can first capture authentication variables that contain the dynamic ACL specification.
Configure a dynamic ACL action to extract and apply an ACL from an AAA server (Active Directory, LDAP, or RADIUS).
Note: Because a dynamic ACL is associated with a user directory, you can use one to assign ACLs specifically per the user session.
  1. On the Main tab, click Access Policy > Access Profiles.
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. From the Assignment tab, select Dynamic ACL, and click Add Item.
    A properties screen opens.
  5. To add an ACL, click the Add new entry button.
    A new row opens in the table.
  6. Select one of these from the list:
    • Custom: Select to use an F5 ACL from an AD, RADIUS, or LDAP directory.
    • Cisco AV-Pair VSA: Select to use a Cisco AV-Pair ACL from a RADIUS directory.
  7. In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs.
    If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
  8. From the ACL list, select the dynamic ACL container that you configured previously.
  9. From the Format list, select the format in which the ACL is specified.
  10. Optional: To configure another ACL, click the Add new entry button and repeat the configuration steps.
  11. Select Save to save any changes and return to the access policy.
  12. Complete the access policy:
    1. Add any additional access policy items you require.
    2. Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
  13. Click the Apply Access Policy link to apply and activate the changes to the access policy.
The access policy is configured to extract an ACL from an AAA server and apply it when processing occurs on the access policy branch.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

F5 ACL format

Specifies F5® ACL syntax and provides examples. This syntax applies to both static and dynamic ACLs.

Specify an F5 ACL using this syntax.

comment { action [logging_options] context } comment { action [logging_options] context }...

The syntax allows multiple ACLs in a single string along with comments.

comment

Any characters before an open curly brace ({) or after a closed curly brace (}) are treated as comments. Comments are optional. They have no effect on the ACLs. These examples show identical ACLs with different comments; APM® interprets them as being the same.

String comments

This is my HTTP server ACL { allow tcp any 1.2.3.4:80 } This is my default ACL { reject ip any any }

A space as a comment

{ allow tcp any 1.2.3.4:80 } { reject ip any any }

Newline comments

{ allow tcp any 1.2.3.4:80 }\n

{ reject ip any any }\n

Vertical bar comments

| { allow tcp any 1.2.3.4:80 } | { reject ip any any } |

action

This is an action that the ACL takes on traffic that matches the ACL context.

allow: Allows the specified traffic.

reject: Rejects the specified traffic and sends a TCP RST code to the initiator.

discard: Silently drops the packets.

continue: Skips checking against the remaining access control entries in this ACL, and continues evaluation at the next ACL.

logging_options

Specifying a logging option is optional.

log: Enables default logging for the ACL.

log-packet: Writes packet-level logs to the packet filter log file.

log-verbose: Writes verbose logs.

log-summary: Writes summary logs.

log-config: Writes configuration logs to the configuration log file.

context

Context specifies a protocol followed by addresses, networks, and ports for the ACL action.

http: HTTP protocol traffic. Requires that you specify an HTTP or HTTPS URL in the ACL definition.

udp: UDP traffic only.

tcp: TCP traffic only.

ip: IP protocol traffic.

Note: F5 ACL format treats IP protocol number zero (0) as a wildcard, meaning that it applies to all IPv4 and IPv6 traffic.

For example, { reject ip 0 any any } is the equivalent of { reject ip any any }.

Address, network, and port specification

Specify addresses in a pair separated by a space. The first address in the pair should match the host, and the second address in the pair should match the destination. This syntax:

any[/mask][:port]

matches any host or IP address with an optional subnet mask or a port. For example,

{ allow tcp any 1.2.3.4 }

allows TCP traffic between any host and the destination IP address 1.2.3.4.

{ allow tcp any/8 1.2.3.4 }

allows TCP traffic between any host within the subnet 255.0.0.0 and the destination IP address 1.2.3.4.

{ allow tcp any/8:8000 1.2.3.4 }

allows TCP traffic between any host within the subnet 255.0.0.0 on port 8000 and the destination IP address 1.2.3.4.

This syntax:

IP address[/mask][:port]

matches a specific IP address with an optional subnet mask or a port. For example,

{ allow tcp 1.1.1.1 1.2.3.4 }

allows TCP traffic between the host IP address 1.1.1.1 and the destination IP address 1.2.3.4.

{ allow tcp 1.1.1.1:22 1.2.3.4 }

allows TCP traffic between the host IP address 1.1.1.1 on port 22 and the destination IP address 1.2.3.4.

F5 ACL with the IP protocol

This example shows how to specify an IP protocol address in F5 ACL format. An IP protocol number, 51, and an address pair specification follow the context word ip.
{ allow ip 51 any 1.2.3.4 }

F5 ACL with the TCP or UDP protocol

This example shows how to specify a TCP or UDP protocol address in F5 ACL format. An address pair specification follows the context word (tcp or udp).
{ allow tcp any 1.2.3.4 }
{ allow udp any 1.2.3.4 }

F5 ACL with the HTTP protocol

These examples show how to specify an HTTP protocol address in F5 ACL format. A host address, destination address, and URL follow the context word http. The URL specification supports wildcards with glob matching.
{ allow http any 1.2.3.4 https://www.siterequest.com/* }
{ allow http any 1.2.3.0/24 http://*.siterequest.com/* }
{ allow http any 1.2.3.0/24 http://*.siterequest.???/* }
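To make the grammar above concrete, here is a small parser for the F5 ACL string format. It is an added example written for this chapter, not F5 code; it assumes only IPv4 literals (or any) in the address pair, and treats everything outside the curly braces as a comment exactly as the comment rules above describe.

```python
import re

ACTIONS = {"allow", "reject", "discard", "continue"}
LOG_OPTIONS = {"log", "log-packet", "log-verbose", "log-summary", "log-config"}
CONTEXTS = {"http", "udp", "tcp", "ip"}
# "any" or an IPv4 literal (assumption: IPv6 literals not handled), optional /mask, optional :port
ENDPOINT = re.compile(r"^(?P<host>any|\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<mask>\d{1,2}))?(?::(?P<port>\d{1,5}))?$")

def parse_endpoint(token):
    """Return {'host', 'mask', 'port'}; mask and port are None when absent."""
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"bad address specification: {token!r}")
    return {"host": m["host"],
            "mask": int(m["mask"]) if m["mask"] else None,
            "port": int(m["port"]) if m["port"] else None}

def parse_f5_acl(text):
    """Parse an F5 ACL string into a list of entry dicts, in order.
    Text outside the braces is a comment, so string, space, newline and
    vertical-bar comments all parse to the same entries."""
    entries = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        tokens = body.split()
        if not tokens or tokens[0] not in ACTIONS:
            raise ValueError(f"expected an action at the start of: {body!r}")
        action = tokens.pop(0)
        logging = []
        while tokens and tokens[0] in LOG_OPTIONS:   # logging options are optional
            logging.append(tokens.pop(0))
        if not tokens or tokens[0] not in CONTEXTS:
            raise ValueError(f"expected a context (http/udp/tcp/ip) in: {body!r}")
        context = tokens.pop(0)
        protocol = None
        if context == "ip" and tokens and tokens[0].isdigit():
            protocol = int(tokens.pop(0)) or None      # protocol 0 is the wildcard
        if len(tokens) < 2:
            raise ValueError(f"missing source/destination pair in: {body!r}")
        src, dst = parse_endpoint(tokens.pop(0)), parse_endpoint(tokens.pop(0))
        url = tokens.pop(0) if context == "http" and tokens else None
        if context == "http" and url is None:
            raise ValueError(f"http context requires a URL in: {body!r}")
        if tokens:
            raise ValueError(f"unexpected trailing tokens {tokens} in: {body!r}")
        entries.append({"action": action, "logging": logging, "context": context,
                        "protocol": protocol, "src": src, "dst": dst, "url": url})
    return entries
```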

Cisco ACL format

Specifies the subset of Cisco ACL syntax that Access Policy Manager® supports and provides examples.

Usage

On a RADIUS server, Access Policy Manager supports dynamic ACLs that use the subset of the Cisco ACL format described here.

Prefix

You must specify a prefix. For IPv4, use ip:inacl#X= where X is an integer used as a rule identifier. For IPv6, use ipv6:inacl#X=.

Keywords

These keywords are mapped to the F5 log-packet logging option: log and log-input.

These keywords are not supported: tos, established, time-range, dynamic, and precedence.

Supported specification for Cisco ACL for IP protocol

{ip|ipv6}:inacl#X={deny|permit} {ip|ipv6} source source-wildcard destination destination-wildcard [log|log-input]

For example:

ipv6:inacl#10=permit ipv6 any any log

Supported specification for Cisco ACL for TCP protocol

{ip|ipv6}:inacl#X={deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]

For example:

ip:inacl#10=permit tcp any host 10.168.12.100 log

Supported specification for Cisco ACL for UDP protocol

{ip|ipv6}:inacl#X={deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]

For example:

ip:inacl#2=deny udp any any log
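The three specifications above can be checked with one parser that accepts exactly this supported subset and rejects everything else, which is useful for validating entries on the RADIUS server before they reach the access policy. This is an added example, not F5 or Cisco code; it assumes the standard Cisco address forms (any, host ADDR, ADDR WILDCARD) and the port operators eq, gt, lt and neq, which the chapter does not enumerate (range is left out).

```python
import re

PREFIX = re.compile(r"^(?P<family>ip|ipv6):inacl#(?P<rule>\d+)=(?P<rest>.+)$")
PROTOCOLS = {"ip", "ipv6", "tcp", "udp"}
UNSUPPORTED = {"tos", "established", "time-range", "dynamic", "precedence"}
LOG_KEYWORDS = {"log", "log-input"}       # both map to the F5 log-packet option
OPERATORS = {"eq", "gt", "lt", "neq"}     # Cisco port operators (assumed; 'range' omitted)

def take_address(tokens, what):
    # Consumes 'any', 'host ADDR' or 'ADDR WILDCARD' (standard Cisco forms, assumed)
    if not tokens:
        raise ValueError(f"missing {what} address")
    first = tokens.pop(0)
    if first == "any":
        return {"kind": "any"}
    if not tokens:
        raise ValueError(f"{what}: {first!r} must be followed by an address or wildcard")
    if first == "host":
        return {"kind": "host", "addr": tokens.pop(0)}
    return {"kind": "network", "addr": first, "wildcard": tokens.pop(0)}

def take_port(tokens):
    if not tokens or tokens[0] not in OPERATORS:
        return None                        # the [operator [port]] part is optional
    if len(tokens) < 2:
        raise ValueError(f"operator {tokens[0]!r} needs a port")
    return {"op": tokens.pop(0), "port": tokens.pop(0)}

def parse_cisco_acl(line):
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError("entry must start with ip:inacl#X= or ipv6:inacl#X=")
    tokens = m["rest"].split()
    if UNSUPPORTED & set(tokens):
        raise ValueError(f"unsupported keyword(s): {sorted(UNSUPPORTED & set(tokens))}")
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny") or tokens[1] not in PROTOCOLS:
        raise ValueError("expected 'permit|deny {ip|ipv6|tcp|udp}' after the '='")
    action, proto = tokens.pop(0), tokens.pop(0)
    has_ports = proto in ("tcp", "udp")    # ip/ipv6 entries carry no port operators
    entry = {"family": m["family"], "rule": int(m["rule"]), "action": action, "protocol": proto}
    entry["src"] = take_address(tokens, "source")
    entry["src_port"] = take_port(tokens) if has_ports else None
    entry["dst"] = take_address(tokens, "destination")
    entry["dst_port"] = take_port(tokens) if has_ports else None
    entry["log"] = "log-packet" if tokens and tokens[0] in LOG_KEYWORDS else None
    if entry["log"]:
        tokens.pop(0)
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return entry
```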